Three open-source projects have joined together to announce a new partnership to create an open, verifiably secure mobile ecosystem of software, services and hardware. Led by the work of the Toronto-based CopperheadOS team on securing the core Android OS, Guardian Project and F-Droid have joined in to partner on envisioning and developing a full mobile ecosystem. The goal is to create a solution that can be verifiably trusted from the operating system, through the network and network services, all the way up to the app stores and apps themselves. Through a planned future crowdfunded and commercial offering, the partnership will provide affordable off-the-shelf solutions, including device hardware and self-hosted app and update distribution servers, for any individuals and organizations looking for complete mobile stacks they can trust.

CopperheadOS is a hardened open-source Android based on AOSP that is available for download and installation on many Nexus devices. The Guardian Project develops popular free and open-source privacy-enhancing apps like Orbot (Tor for Android), ChatSecure, and ObscuraCam, and software libraries like NetCipher, SQLCipher and PanicKit, for developers who want to enable similar features in their own apps. F-Droid is an installable catalogue of free and open-source Android software that is built into CopperheadOS as the default app store. It enables decentralized and verifiably secure app distribution by any individual or organization.

“I have been a happy CopperheadOS user since the first moment I installed it,” says Nathan Freitas, Founder and Director of Guardian Project, “even with running it on a two-generation old, very inexpensive Nexus 5 device. I know I will always have the latest security updates immediately, and that everything on my device is under my control.”

Hans-Christoph Steiner, who leads the Guardian Project’s developer platform, says “Copperhead with F-Droid and Orbot provides all of the benefits of a smartphone, without the security and privacy downsides introduced by the major vendors, carriers and closed app stores. By building in F-Droid, Copperhead guarantees its users have direct access to the best free and open software, built directly from source code in a trustworthy, verifiable way.” Mr. Steiner presented on his work with F-Droid and building “private, unblockable app stores” at FOSDEM 2016 in January.

Collectively, this partnership creates a global team of information security researchers, forensic analysts, software developers, designers and engaged users, looking to move the state of the art forward for open, verifiably secure and privacy-enhancing mobile technology. The groups hope to expand the effort to include other mobile OS teams, application developers and even hardware developers interested in having the same kind of impact on the privacy and security of mobile computing.

James Donaldson of Copperhead says “It’s important for Android users to have a privacy minded viable alternative to closed-source solutions when contemplating mobile security. Teaming up with great partners like F-Droid and Guardian Project allows us to offer our users both security and a great experience with all of the core features they need.”

Guardian Project is an open-source effort based in New York, with a global community of contributors and partners. Copperhead is an information security firm located in Toronto, Canada, specializing in protecting data and devices from unauthorized access. F-Droid is a non-profit volunteer project, and is operated by F-Droid Limited, a non-profit organisation registered in England (no. 8420676).

Why is The Guardian Project recommending we use builds from an unknown “security” organization with no transparency with regards to the build processes or the organization’s other functions/business? Should builds for a secure operating system be done using the Debian model of open governance and transparency?

Also with regards to their Kickstarter for an open source project the money is going to go to a private corporation with no accountability for how the money is spent. Is it not best to donate money directly to the single developer of CopperHeadOS instead of a shady organization?

They also seem to utilize services that are possible Honeypot operations by state sponsored actors, ie OpenShift and Cloudflare. Both of which are utilized to provision OTA updates, which seems like the biggest backdoor ever.

The goals for openness and transparency in the development and build process, and even a fully reproducible OS, are what this effort is about. We are obviously not there yet. We trust Copperhead because we have met and worked with them, we have used the product, and done initial audits that it does what it claims.

Saying that Copperhead is shady and that they are some faceless private corporation is just nonsense. It is a small business located in Toronto made up of the developers of CopperheadOS. The fact that they have a registered business is a way to protect their personal lives and liability. From what I have seen, they work extremely hard, and have invested a huge amount of time in this effort without any money at all. They have already proven they can be trusted, and we feel they are worthy of support from a crowdfunding effort.

Finally, the choice of a Cloudflare frontend on their site is purely again their effort as a small company to protect from online attacks. That said, we agree there should be other ways to access the firmware and OTA updates in a verified way, without going through Cloudflare. This is something that can definitely be addressed.

The over-the-air updates are signed and automatically verified. The update server isn’t blindly trusted. The factory images are signed with GPG so they can be verified too. It’s not a backdoor in any sense. There was 43GiB of bandwidth used in the past 24 hours, and that’s only going to grow much larger. Debian has an HTTP link to their netinstall image on their homepage, with no link to the signature: https://www.debian.org/. It comes from an arbitrarily chosen (some kind of load balancing) untrusted third party mirror, run by anyone who applies. That’s a lot worse than having CloudFlare in front of a Red Hat cloud server, with signatures provided and automatically verified in the case of updates. Red Hat provides us with a generous OpenShift grant so our hosting is entirely free.

The builds are all performed and signed locally. The build process is fully documented so users can build it from source themselves and sign it with their own keys, with the updater informing them of new updates that they’ll need to build on their own. The releases aren’t yet tagged because we need to figure out how to do that in a way that will work well with repo and it hasn’t been a priority. It’s going to take a lot of work to make Android builds reproducible and it should probably be done upstream rather than only in CopperheadOS. They’ve taken many of our changes and I don’t think they would reject fixes making builds reproducible since there is no drawback.

Having a corporation is important, otherwise adversaries could go after us in the legal system as individuals. The corporation doesn’t need to have many assets so it shields the project from legal liability and gives us a framework for funding the work. The two people behind CopperheadOS (myself and James) each own 50% of it. There are no other investors, and there won’t be, as mentioned in our post. It really doesn’t matter where the crowdfunding money goes. It ends up in the same place. Why is a corporation shady, but a non-profit organization is not? We would still just be transferring 100% of the money to ourselves in a non-profit, but we would have to declare it as income from a salary rather than being able to reduce the tax burden with options like dividends. It’s a legal/economic decision, not one with an impact on OS development. A non-profit really wouldn’t work well, because software isn’t treated as a valid form of charity in Canada. A private corporation owned by individuals isn’t comparable to a public one. It represents the collective interests of the individuals involved, i.e. the people working on CopperheadOS.

I don’t think open government and volunteers working on areas they’re personally interested in is any kind of recipe for security. Debian shows the failure of that system. They don’t have most security fixes, only a large subset of the ones with CVEs assigned. Many packages like webkit don’t get security updates in Debian at all. It’s not done when it would be a lot of work, such as following upstream development rather than relying on a CVE being assigned for each security issue – which is actually rare, in the grand scheme of things.

“I don’t think open government and volunteers working on areas they’re personally interested in is any kind of recipe for security.”

Debian and FOSS projects in general, do not prevent or discourage paid people from working on it. It would be pretty awesome if paid security experts decided to contribute to the security team of Debian. So I don’t understand the reproach here. Many other companies have seen something lacking in a FOSS product or distro, and then put money into it to try to fix this, working *with* those projects – rather than implying that FOSS is a failure or inherently can’t do a particular task (e.g. systems security as you’re arguing).

Also, could you elaborate on your dislike for “open government”? Do you mean that the security decisions and processes of Copperhead, will not be open to public scrutiny?

We definitely appreciate the work Replicant has done, and hope we can include them somehow in this effort. The goal with the CopperheadOS layer was to start clean with Android 6, and move forward from there, with a focus on core security improvements. This is pretty different from what Replicant has done, but it doesn’t mean we can’t collaborate.

Not yet. Copperhead is built directly on the Android Open-Source Project (AOSP) code, which only supports Nexus devices. CopperheadOS would have to incorporate code from Samsung in order to add Galaxy support.

Okay awesome, was able to get a refurbed Nexus 5, for under $150, so I am going to be getting on this soon. I wish you guys the best of luck, and will be donating some BTC soon to show my gratitude, good luck with this, and this is what the privacy conscious community needs, AND the rest of the brainless sheep will beg for down the road.

Replicant addresses amongst other things the issue of modem isolation. What’s the situation for this on the Nexus? And how is the privacy issue related to hardware addressed by the collaboration and CopperheadOS?

Hi,
I am using Copperhead on my Nexus 5 and I am very happy with this OS.
The only thing I miss is a way to filter the traffic of apps through the network stack.
Giving users a scalable firewall would be great, to have almost 100% control over what comes in and goes out of the device.
Are you planning something like this?

On the Copperhead announcement, there is no link to a crowdfunding page, but just the statement, “A crowdfunding campaign with clear goals and timelines will be coming soon.” Why announce a crowdfunding campaign before you can even link to the crowdfunding campaign? (Would have posted this on their page, but they don’t even have comments. Thank you Guardian Project for having comments!)

Xposed sounds like a great hacking project, but tinkering with the core of the OS is something that should never be undertaken lightly. I do not think you can provide real security when using Xposed. And anything that makes it easier to hack into your phone will definitely harm your privacy.

I agree that Xposed compromises security a little bit, but together with XPrivacy it protects users’ privacy better than anything else. You could disable downloads in Xposed and block root and network access to all other apps. I’m willing to compromise another layer of security to have far better privacy on my Nexus 5. Copperhead OS is a great project (equivalent of Hardened Gentoo) but lacks privacy features, especially advanced permission control.

My one concern with Copperhead OS is the Nexus Phones tend to be a lot more costly than the average journalist can afford in the developing world. Plus it might be handy to have a low cost burner phone for journalists.

Often the people who really need these types of devices (because their lives are in danger) are the ones that can’t afford them.

Of course we’d like to support a wide range of devices, including very cheap ones. Without big money behind a project like this, it is impossible to support a wide range of devices. We have to start somewhere, so Copperhead has chosen the devices that are the least work to provide real maintenance and support for.

One of the factors that limits the use of systems like Copperhead is that nowadays a lot of applications are dependent on Google Services. Here is a small list of apps I use frequently that would not run on Copperhead: Strava (for bikers and runners), Garmin (for bikers and runners), Spotify (music), United Airlines (for boarding passes) … and the list goes on and on. The Android operating system has created an ecosystem by sucking on all these app vendors, from which it is hard to detach. And for some of these there are not very good alternative apps in F-Droid.